Forum Discussion
Jgawrych_43121
Nimbostratus
NimbostratusTCP reset when Multple irules applied
Hi all,
Here's my scenario. I have two functional requirements below.
1) if we enable a maintenance window by disabling all nodes in a pool or if all nodes in the pool are down for whatever reason, redirect end user browser to our maintenace site. (irule_MaintenancePageOnAllNodeFailure )
2) On a HTTP VServer, redirect all traffic to HTTPS (irule_HTTPtoHTTPsRedirect)
I have two I rules written for this (see below) and when I apply them individually and test they work perferectly as expected.
My problem is when I have both rules applied (irule_MaintenancePageOnAllNodeFailure is applied first and irule_HTTPtoHTTPsRedirect is second in the vertual server) AND I then disable all the nodes in the pool (going into maintenance period). What I'm expecting to have happen is for the end user browser to be redirected to my maintenance page.
What ends up happening is that the end user browser immediately comes back with 'The page cannot be displayed' in Internet Explored and 'The connection was reset' in Firefox.
I put a packet sniffer on this to finally figure out what was going on. Looking at the packet trace, the LTM does send a redirect to the browser client but also immediately sends a TCP reset to the browser client.
Also, Looking in the LTM logs I get the below error, which only shows up when I have the above scenario:
Fri Mar 28 12:12:57 PDT 2008 tmm tmm[929] 01220001 TCL error: Rule irule_HTTPtoHTTPsRedirect HTTP_REQUEST - Operation not supported. Multiple redirect/respond invocations not allowed line 1 invoked from within HTTP::respond 301 Location https://[getfield [HTTP::host] : 1][HTTP::uri]
Looking at the browser behavior, it looks like the browser reacts to the TCP reset and never attempts to process HTTP redirect and open a HTTP session to my maintenace page. So I need to figure out a way to meet my functional requirements without the LTM sending a TCP reset as part of the communications.
Looking at the LTM, it looks like in my particular test scenario the LTM is unhappy about something. (especially looking at the error in the LTM log). It appears to be processing the redirect, but then chokes when hitting the redirect to SSL irule.
- Can anyone offer any suggestions?
- Do I need to moodify my irules? Add an addional check in the rules? (I'm trying to leave them as generic as possible to allow reuse across multiple Vservers)
- Do I have a logic error in how I have the rules applied, or possibly I'm not understanding the processing logic for when multiple irules are in place?
Thanks in advance!
-John G
irule_MaintenancePageOnAllNodeFailure
Generic iRule to redirect all traffic when all nodes in a pool are down/disabled.
when HTTP_REQUEST {
if {[active_members [LB::server pool]] == 0} {
HTTP::redirect "http://maintenance.sitename.com/"
}
}
irule_HTTPtoHTTPsRedirect
Generic rule to redirect all traffic from HTTP to HTTPS.
Takes into account HOST & URI::basename
Taken from:
http://devcentral.f5.com/wiki/default.aspx/iRules/HTTPToHTTPSRedirect_301.html
when HTTP_REQUEST {
HTTP::respond 301 Location "https://[getfield [HTTP::host] : 1][HTTP::uri]"
}
Nicolas_MenantEmployee
Hi,
When you have a TCL error message within an iRule the BIGIP send a reset to the client. So in your case you need to fix the issue you see to avoid this TCP reset.
the thing is that when all your pool members are disabled the BIGIP tries to:
redirect the user (first iRule) and then then a respond to the user. It definitely conflicts.
You should try the following:
if it's fine to merge both iRule:when HTTP_REQUEST { if {[active_members [LB::server pool]] == 0} { HTTP::redirect "http://maintenance.sitename.com/" } else { HTTP::respond 301 Location "https://[getfield [HTTP::host] : 1][HTTP::uri]" } }
if you wish to use two different iRules:when HTTP_REQUEST priority 1{ if {[active_members [LB::server pool]] == 0} { HTTP::redirect "http://maintenance.sitename.com/" event disable all } }
event with the smallest priority will be applied first.
event disable all means that all other iRule will be disabled so that it won't be activated and conflicted
HTH
andwhen HTTP_REQUEST { HTTP::respond 301 Location "https://[getfield [HTTP::host] : 1][HTTP::uri]" }
Jgawrych_43121
Hi nmenant - I added the 'event disable all' to my irule_MaintenancePageOnAllNodeFailure
and that completely fixed the issue. Many thanks for the suggestion!
For anyone else, I have a follow up question: Is there any wiki, email threads, posts, knowedge base articles, etc that go over the LTM processing logic when there are multiple iRules applied? Looking through this, the LTM didn't like that I had two redirects being processed (redirect to maintenance page and then redirect to SSL). I'm trying to get a better grasp of how the LTM handles this stuff under the hood to avoid problems with any future iRules I try to create.
Many Thanks!
-John G- The_BhattmanClick here to see information regarding placing events in an iRULE in priority.
When it comes to multiple irules applied the order of sequence is irule is processed before anything is processed at the default pool or persistance. In regards to Irule order execution you can managethat within the GUI where you select which irule you want to process for the begining to the end.
Hope this helps.
/CB - Jgawrych_43121>>>.regarding placing events in an iRULE in priority.
Hi Thanks! I have seen the priority syntax for controlling how irules are managed within a given iRule. I was hoping to see if there was any additional background info on how the LTM handles processing (and maybe more importantly - conflicts) when there are multiple iRules applied.
Thanks!
-John G
